Privacy Policy

1. Who we are

Aced is a learning platform for students aged 11 to 18, operated at aced.academy and through our iOS and Android apps. The service is provided by Altumo, Inc. (“Altumo,” “we,” “us”). In this policy, “Aced” means the service, and “Altumo” means the company that runs it.

Aced is family-scoped. An adult facilitator — typically a parent, guardian, or teacher — creates an account and invites students. Students only access Aced through an invitation from their facilitator. The facilitator is the account holder and is responsible for the students under their account.

2. What we collect

We collect only what we need to run a personalized learning experience. Specifically:

From facilitators

• Email address (required for sign-in and notifications)
• Name, if you choose to provide one
• An age affirmation that you are 18 or older
• Authentication identifiers issued by our identity provider (session tokens, user ID)
• Billing information when you upgrade to a paid plan, handled by our payment processor (we do not store card numbers)

From students

• Email address used to accept the facilitator’s invitation
• Given name or display name (optional)
• Date of birth or age band, so we can apply the right protections for minors
• Learning activity: sessions started and completed, answers submitted, XP earned, streaks, and achievements
• Study material you upload — photos of worksheets, PDFs, notes, and similar content used to generate activities
• Authentication identifiers from our identity provider

Automatic technical data

• Device metadata: platform (web, iOS, Android), app version, operating system version, and device model
• IP address and approximate region, used for security and rate-limiting
• Diagnostic logs and error reports, with personal identifiers minimized where feasible

We do not set advertising cookies and we do not build behavioral profiles.

3. How we use data

• Deliver the learning experience. We use study material and activity data to generate sessions, score answers, and award XP.
• Personalize activities. Past performance informs difficulty, pacing, and topic mix — within the family account only. We never personalize across families.
• Send transactional email. Sign-in links, session summaries, and important account notices.
• Keep the service secure. We log sign-ins, detect abusive behavior, and rate-limit suspicious requests.
• Improve the product. We review aggregated, de-identified usage data. We do not include usage from users under 13 in product analytics.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on these legal bases:

• Performance of a contract — to provide the service you or your facilitator signed up for.
• Consent — for processing that requires it, such as collecting data from a child under the applicable age of digital consent. Consent can be withdrawn at any time.
• Legitimate interests — for security, fraud prevention, and limited product analytics where those interests are not overridden by your rights. We do not rely on legitimate interests to process children’s data beyond what is needed to deliver the service.
• Legal obligation — when we must keep records for tax, contract, or safety reasons.

5. Data from children

United States — COPPA

The U.S. Children’s Online Privacy Protection Act (COPPA) applies to personal information we collect from children under 13. Aced is designed so that children under 13 can only access the service after an adult facilitator creates the account and invites them. When a facilitator adds a student under 13, they must provide verifiable parental consent by:

• Confirming they are the child’s parent or legal guardian
• Entering their full legal name as the consenting adult
• Acknowledging the categories of information we will collect from the child and how it will be used

The date and time of consent is recorded on the student record. We collect nothing about a child under 13 until consent is captured.

At any time, a facilitator can review the data tied to a child under 13, correct it, or delete it from the Settings area of their account, or by writing to [email protected]. You can also refuse to permit further collection by deleting the student profile, which purges the child’s data within 30 days.

European Union — GDPR-K (Article 8)

In the EU, the default age of digital consent is 16. Some member states have set a lower age — as low as 13 — so the local threshold varies. For any student under the applicable local threshold, consent must come from the holder of parental responsibility. We rely on the facilitator’s confirmation that they hold that responsibility when inviting the student.

If you believe a student has joined Aced without proper parental consent, write to [email protected] and we will investigate and delete the account if appropriate.

Schools using Aced (FERPA)

Where a school, district, or teacher invites students under a school-issued facilitator account, we act as a service provider to the school under the U.S. Family Educational Rights and Privacy Act (FERPA). In that case the school is responsible for obtaining any parental notice or consent required by law, and our processing is limited to what the school has authorized.

6. How we share data

We share data with a small number of service providers who run parts of the platform on our behalf. They are bound by contract to process data only for Aced and only for the purposes below:

• Identity and authentication provider — manages sign-in, session tokens, and password-equivalent credentials. We never see or store your password directly.
• Cloud hosting and database providers — run the servers and databases that store account data, sessions, and uploaded study material.
• Workflow orchestration provider — coordinates asynchronous jobs such as processing an uploaded worksheet into a session.
• Large language model (LLM) providers — we send prompts that can include excerpts of uploaded study material or student answers so the model can generate explanations, questions, and feedback. These providers process prompts to return a response and, under our contracts with them, do not train their public models on the data we send. Some providers retain prompts briefly for abuse monitoring as described in their own terms.
• Transactional email provider — delivers sign-in emails and account notices.
• Error and performance monitoring — collects diagnostic data when something breaks. We do not include users under 13 in product analytics.

We may also share data when we are legally required to (for example, a valid subpoena), or to protect the safety of a user or the integrity of the service.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use student data to target ads.

7. Data retention

• Active accounts — we retain account data, learning activity, and uploaded material for as long as the family account is active.
• Deleted accounts — when you delete a family account or a student profile, we purge the data from our primary systems within 30 days. Encrypted backups are rotated out on a regular schedule after that.
• Legal and financial records — we keep invoices, contracts, and related records for as long as applicable tax and contract law requires.
• Security logs — sign-in and audit logs are kept for a limited period for fraud prevention and incident response.

8. Security

We protect data with encryption in transit (HTTPS/TLS), encrypted storage at the database and object-storage layer, hardened access controls, and audit logging for sensitive operations. Passwords and session credentials are handled by our identity provider; Aced staff never see user passwords.

No online service can promise perfect security. If we ever discover a breach that affects your data, we will notify affected facilitators and, where required, regulators, within the timeframes set by applicable law.

9. Your rights

Depending on where you live, you have some or all of the following rights over your personal data:

• Access the data we hold about you
• Correct data that is inaccurate or incomplete
• Delete your data
• Port your data — receive a copy in a machine-readable format
• Object to or restrict certain processing
• Withdraw consent where we rely on consent
• Complain to your local data protection authority, if you are in the EU, EEA, or UK

United States — state privacy laws

Residents of California (CCPA/CPRA) and of other U.S. states with comprehensive privacy laws have rights to know, delete, correct, and limit the use of their personal information. We do not sell or “share” personal information as those terms are defined under California law.

Parents and guardians (COPPA)

Parents and guardians can review the personal information we have collected from a child under 13, ask us to delete it, or refuse to permit further collection. Use the Settings area of your facilitator account, or contact [email protected].

To exercise any right, write to [email protected]. We will verify the request against the account and respond within the timeframes set by applicable law.

10. How to delete data

Facilitators can delete a single student profile or the entire family account from the Settings area. Both actions trigger the same pipeline:

1. The account or profile is marked for deletion and immediately hidden from the app
2. Identifying data and uploaded material are purged from primary systems within 30 days
3. The deletion event is logged so we can show auditors that the request was honored

If you cannot access the account — for example, you have lost access to the facilitator email — email [email protected] and we will verify your identity and complete the deletion on your behalf.

11. International transfers

Aced is operated from the United States and our service providers are located in several countries. When we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum or Swiss equivalent where applicable), together with supplementary safeguards appropriate to the risk. Where an adequacy decision applies — for example, transfers covered by the EU-U.S. Data Privacy Framework — we rely on that decision.

12. Children outside the United States

In the EU the default age of digital consent is 16, with some member states setting a lower age. In the UK it is 13. Other jurisdictions have their own thresholds. In each case, we rely on the facilitator who invites the student to confirm they hold parental responsibility and to provide any consent the local law requires. If your local law sets a higher bar than we describe here, that higher bar applies.

13. Changes to this policy

We will update this policy from time to time. For material changes — for example, a new category of data or a new sharing purpose — we will give facilitators at least 30 days’ advance notice by email and update the effective date at the top of this page. Minor clarifications take effect when posted.

14. Contact

Questions, requests, or concerns about this policy or our data practices:

• Email: [email protected]
• Postal address: to be added once confirmed by counsel. In the meantime, please use the email above.

15. Data Protection Officer and EU representative

We will appoint a Data Protection Officer and, where required, an Article 27 EU representative. In the meantime, please direct GDPR, UK GDPR, and Swiss FADP inquiries to [email protected].